Re: io_submit with slab free object overwritten

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 2/22/19 4:58 PM, Eric Sandeen wrote:
> On 2/22/19 3:48 PM, Qian Cai wrote:
>>
>>
>> On 2/22/19 4:42 PM, Eric Sandeen wrote:
>>> On 2/22/19 3:07 PM, Qian Cai wrote:
>>>> Reverted the commit 75374d062756 ("fs: add an iopoll method to struct
>>>> file_operations") fixed the problem. Christoph mentioned that the field can be
>>>> calculated by the offset (40 bytes).
>>>
>>> I'm a little confused, you can't revert just that patch, right, because others
>>> in the iopoll series depend on it.  Is the above commit really the culprit, or do
>>> you mean you backed out the whole series?
>>
>> No, I can revert that single commit on the top of linux-next (next-20190222)
>> just fine.
> 
> Sorry for being pedantic, but this commit is still in your tree?  How can this build
> with just 75374d062756 reverted?
> 
> (I'm confused about how simply changing the size of the 2 structures via
> 75374d062756 could cause memory corruption, so trying to really understand
> what got tested...)
> 
> commit 06eca8c02eb3e171dc5721ddca4218d41b09b3aa
> Author: Christoph Hellwig <hch@xxxxxx>
> Date:   Fri Nov 30 08:31:52 2018 -0700
> 
>     block: wire up block device iopoll method
>     
>     Just call blk_poll on the iocb cookie, we can derive the block device
>     from the inode trivially.
>     
>     Reviewed-by: Hannes Reinecke <hare@xxxxxxxx>
>     Reviewed-by: Johannes Thumshirn <jthumshirn@xxxxxxx>
>     Signed-off-by: Christoph Hellwig <hch@xxxxxx>
>     Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
> 
> diff --git a/fs/block_dev.c b/fs/block_dev.c
> index 7758ade..d1277a1 100644
> --- a/fs/block_dev.c
> +++ b/fs/block_dev.c
> @@ -294,6 +294,14 @@ struct blkdev_dio {
>  
>  static struct bio_set blkdev_dio_pool;
>  
> +static int blkdev_iopoll(struct kiocb *kiocb, bool wait)
> +{
> +       struct block_device *bdev = I_BDEV(kiocb->ki_filp->f_mapping->host);
> +       struct request_queue *q = bdev_get_queue(bdev);
> +
> +       return blk_poll(q, READ_ONCE(kiocb->ki_cookie), wait);
> +}
> +
>  static void blkdev_bio_end_io(struct bio *bio)
>  {
>         struct blkdev_dio *dio = bio->bi_private;
> @@ -412,6 +420,7 @@ __blkdev_direct_IO(struct kiocb *iocb, struct iov_iter *iter, int nr_pages)
>                                 bio->bi_opf |= REQ_HIPRI;
>  
>                         qc = submit_bio(bio);
> +                       WRITE_ONCE(iocb->ki_cookie, qc);
>                         break;
>                 }
>  
> @@ -2078,6 +2087,7 @@ const struct file_operations def_blk_fops = {
>         .llseek         = block_llseek,
>         .read_iter      = blkdev_read_iter,
>         .write_iter     = blkdev_write_iter,
> +       .iopoll         = blkdev_iopoll,
>         .mmap           = generic_file_mmap,
>         .fsync          = blkdev_fsync,
>         .unlocked_ioctl = block_ioctl,
> 

Sorry, I had a copy-and-paste error here while looking at the surrounding
commits. I meant,

Reverted 06eca8c02eb3 (block: wire up block device iopoll method) fixed the problem.



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux